Posted by Soulskill on Saturday January 14, 2012 @02:39PM
from the measuring-failure-in-decades dept.

An anonymous reader sends this quote from an article at the San Francisco Chronicle:
"Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called 'an infestation' of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned. At work for more than a decade, the viruses were detected a few days after Thanksgiving, when the college's data security monitoring service detected an unusual pattern of computer traffic, flagging trouble."

After years of explaining this to people, I have come to the conclusion that no matter what people are going to do it. Simply put, if banks allow people to log in to their accounts from random computers, people are going to do so without any regard for security. It is convenient, and the one thing you can expect people to do is something that is convenient.

Yeah, that's not something that I ever do. I logged into my email one time from a random computer, but that's the only time. I did change my password shortly thereafter and didn't have any trouble.

These days what I do is run a virus scan from a write-only thumb drive before I do anything at all on a strange computer. (If anybody is curious, I'm using a Kanguru FlashBlu 2 with a portable antivirus program and it works just great for that.)

> These days what I do is run a virus scan from a write-only thumb drive before I do anything at all on a strange computer. (If anybody is curious, I'm using a Kanguru FlashBlu 2 with a portable antivirus program and it works just great for that.)

If you're making the effort, you could just as well keep an Ubuntu live-boot USB key.

Your only security worry then would be hardware keyloggers, and you'd get the considerable bonus of not having to suffer a strange computer's browser - few things are more horrifying than IE with only half the window's real-estate usable for plugins.

The only problem with that is that you're not necessarily going to be able to get online in that fashion. True it is more secure, but by the same token if one needs to go online one is going to have to take some risks.

And since it wasn't clear, I don't personally visit banking sites like that, nor do I log into sites where I don't have an OTP as part of the log-in requirements.

You can't trust the results of that scan unless you booted the machine using the thumb drive. Otherwise, the rootkit installed on the machine will prevent the portable AV from seeing anything wrong. This is pretty basic. Yes, your process will catch a fair percentage of bad stuff. No, it doesn't make it safe at all. Of course, you may not be able to boot to your drive if the BIOS is out of your control or the machine's hard drive is protected with encryption. But the only way to be sure there is nothing on i

It depends what you're doing. I shouldn't have implied that I'd be typing in passwords to such a machine because you are indeed correct about that. I also shouldn't have implied that I would be logging into a banking site like that. I load up my own web browser and don't log into any site where I'm not using an OTP as part of the set up.

I'm mostly worried about viruses on the odd occasion where I'm needing to check email at a cyber cafe.

It is now a basic technique of any "respectable" virus to inject itself into the Windows kernel and ensure that any access to infected executables or other components of the virus is masked. So scanning an already infected system is a very, very pointless endeavour. Actually, it will lull you into a false sense of security. And believe me, even the best virus scanner can't do anything against that. You would have to boot your own WinPE or something from that USB stick to stand any chance against modern viruses. If

That happens a lot I am sure, there is no security, I bet the computers were running Windows XP. The local library I visit sometimes has Windows XP computers with SP2, in 2012! There needs to be a better default operating system we could deploy in these circumstances that would do a better job of security. But if there is a hardware keylogger hidden behind the machine, then the most secure OS in the world will not protect you.

I can not manage my website on their computers as I need to use port 2083 to conne

> After years of explaining this to people, I have come to the conclusion that no matter what people are going to do it. Simply put, if banks allow people to log in to their accounts from random computers, people are going to do so without any regard for security. It is convenient, and the one thing you can expect people to do is something that is convenient.

It's called Dancing Pigs [wikipedia.org]. A user will most likely pick convenience over security.

And any bank that prevents logging in from public computers will be laughed out of business - people expect to be able to bank anywhere and everywhere. Even on their cellphones (they can't wait to go home and do it then...).

No way around it, unfortunately, and educating the user is a pointless exercise because they'll just go back to their old ways.

Perhaps if the bank issued them special keypad calculators that could compute transaction hashes (for two-factor authorization) things would help. But no.

> Perhaps if the bank issued them special keypad calculators that could compute transaction hashes (for two-factor authorization) things would help. But no.

My bank kinda does. HSBC gives you a little red keypad thing which generates a code you need to log in with. Once in you can repeat actions you have done in the past, e.g. paying off a bill, but if you want to do something new like set up a money transfer to an account you have never sent money to before then you have to enter another code.
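The comment above describes a token that issues one code to log in and a separate code whenever a payment goes to a new payee. The example below is added here and is not HSBC's scheme or anything posted in the thread: it models that behaviour with a standard HOTP (RFC 4226, HMAC-SHA1, six digits) for login, and a transaction code that mixes the payee and amount into the HMAC input (an OCRA-style challenge-response; the exact derivation here is an assumption for the example). It shows the property the thread is circling around: a code bound to the transaction details is useless to a man-in-the-browser who swaps the destination account, and a captured login code cannot be replayed. The seed and account numbers are constructed test data.

```python
"""
Added example: a bank keypad token and the server that verifies it.
Not HSBC's or the thread's code; the transaction-code derivation
(HMAC over counter || payee || amount) is an assumption for illustration.
"""
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    # Dynamic truncation, RFC 4226 section 5.3
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: the 'press the button to log in' code."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Assumed OCRA-style code: the payee and amount are part of the MAC input,
    so a code computed for one transfer does not verify for a different one."""
    challenge = struct.pack(">Q", counter) + payee.encode() + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(secret, challenge, hashlib.sha1).digest())


class Token:
    """The device in the customer's hand: it knows only the seed and a counter."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def login_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def sign_transaction(self, payee: str, amount_cents: int) -> str:
        code = transaction_code(self.seed, self.counter, payee, amount_cents)
        self.counter += 1
        return code


class BankServer:
    """Server side: same seed, accepts a small look-ahead window of counters
    and never accepts a counter twice, so captured codes cannot be replayed."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed, self.counter, self.window = seed, 0, window

    def _check(self, expected, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(expected(c), code):
                self.counter = c + 1
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._check(lambda c: hotp(self.seed, c), code)

    def verify_transfer(self, payee: str, amount_cents: int, code: str) -> bool:
        return self._check(lambda c: transaction_code(self.seed, c, payee, amount_cents), code)


def demo() -> tuple:
    """Returns (login_ok, replay_ok, tampered_ok, legit_ok) for a constructed session."""
    seed = b"12345678901234567890"          # RFC 4226 test-vector seed, not a real one
    token, bank = Token(seed), BankServer(seed)

    login = token.login_code()
    login_ok = bank.verify_login(login)     # True
    replay_ok = bank.verify_login(login)    # False: counter already consumed

    payee, amount = "GB29NWBK60161331926819", 25_000   # constructed account, 250.00
    sig = token.sign_transaction(payee, amount)
    # Man-in-the-browser rewrites the payee but forwards the customer's code.
    tampered_ok = bank.verify_transfer("GB94BARC10201530093459", amount, sig)   # False
    legit_ok = bank.verify_transfer(payee, amount, sig)                          # True
    return login_ok, replay_ok, tampered_ok, legit_ok


if __name__ == "__main__":
    print(demo())
```

The login half reproduces the RFC 4226 test vectors (counter 0 with that seed gives 755224), so the HOTP piece can be checked against the standard; the transaction half is what the keypad-with-a-second-code design buys you, and it only helps if the customer actually reads the payee and amount off the token display before confirming.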

As a recent former student of CCSF, I find this very disturbing.
Fortunately, I always paid for my classes either in cash or by check. Never by credit card. I've always been paranoid about giving out personal information, especially online.
Now it appears that I wasn't paranoid after all. You aren't paranoid when they really are out to get you.

The worst thing is, assuming you trust the staff, a college computer lab is managed by paid staff who you would assume have some level of competence... The average home computer, on the other hand, is not.

The difference from a hacker's perspective is that the average home computer, while horrendously insecure and usually not managed by someone with an IT background, only has one user to steal bank details from... A lab computer may have several.

The article really doesn't clarify whether these are viruses that are detected by anti-virus software on the market, or something novel and malicious that could only be detected recently. However, the tone of the article suggests poor management and an utter lack of protection from assault, rather than some incredibly creative black hats at work:

Shortly before Hotchkiss arrived at City College, a new firewall was installed. Technicians set it up to block pornography sites, which are notorious for transmitting computer viruses.

Then faculty began complaining to Hotchkiss that students needed access to porn sites. For research.

Eventually, given examples of the academic necessity, Hotchkiss had to remove the porn block.

I can see the need for some sociology or psychology students to access porn, but only a very few on very specific projects. Methinks some faculty spanking material was the greater concern than student access to "research data" which could have been addressed by granting specific machines a bypass in the firewall configurations.

> I can see the need for some sociology or psychology students to access porn, but only a very few on very specific projects. Methinks some faculty spanking material was the greater concern than student access to "research data" which could have been addressed by granting specific machines a bypass in the firewall configurations.

Methinks the porn blocker was probably overzealous*, and blocked way too much.

* In general, those blockers come in two variations: The overzealous type, which gets in the way of normal usage, or the useless type, that blocks next to nothing.

> Methinks the porn blocker was probably overzealous*, and blocked way too much.

This is the problem with filters. They don't block enough of the "bad" material and they block too much of the "legitimate" material.

For instance, I am currently in the library down the road from my house, and the filter blocks scribd of all things. But getting around the filter is as simple as going to a proxy. Access to porn is as simple as just finding something that isn't in the filter, which is surprisingly easy, like si

I don't know WTF porn sites you guys are visiting, but there are PLENTY of them out there that have no popups, no viruses, and fewer ads than MSNBC. Seriously. Porn sites with viruses are NOT porn sites. They are VIRUS sites that use porn to attract virus clickers. Did you learn nothing from Anna Kournikova?

And porn sites are blocked by many filters, therefore reducing the potential targets for a malware spreader...

Web distributed malware these days tends to come from legit sites, or legit banner hosts etc that have been hacked... When you have thousands of infected workstations running keyloggers it's not hard to capture a webmaster logging in to his site and then you can follow him in and add your malicious code to his genuine site.

All those things could have contributed to a security oversight. But I was answering the question of why the network would have ten-year-old equipment. CCSF has had several rounds of layoffs and course cancellations, and has had to completely drop summer courses. So under those conditions, old equipment may stick around for a while.

Do you have evidence of those assertions? Just what is it about the fact "a computer from 1999 is still running somewhere" that automatically implies cluelessness? Hell, there are still computers out there from the *1950s* still running... are their operators clueless too?

I never worked there, but I was a student there, so I have some insight.
CCSF was like a lot of old educational institutions - departments have their own domains. Thus, some departments might have had good IT support, and some probably had almost none.
What is likely is that the main computer labs are fine, but the small, less-used computer labs are the ones with the problems.

That's an "old" educational system? What's a "new" educational system? What you describe seems fairly common to me, regardless of the size of the school or its age (I've seen it both in hundred-plus-year institutions with under 2,000 students and in modern for-profit educational organizations with tens of thousands, and everything in between). I know that many, many universities still do this.

Virtualization may do that. Someone virtualizes an old machine with malware, and voila, there you go. You've just perpetuated the problem indefinitely.

If they're using, say, Symantec products, it's really not difficult to see this problem being perpetuated, is it? Something from 1999 may not have had AV on it originally, but they realized later down the line it was necessary but thought it too old to be problematic... voila, instant perpetual malware vector.

From what I've seen, community college IT tends to be pretty horrible. One of them out here had a server password of "password" and remoting on. Others tend to use a generic password on everything, such as Mascot1 or gomascot1.

> From what I've seen, community college IT tends to be pretty horrible. One of them out here had a server password of "password" and remoting on. Others tend to use a generic password on everything, such as Mascot1 or gomascot1.

IT Dunce A: Crap! Someone out there knows our password "gomascot1"!
IT Dunce B: No worries, I'll go ahead and change it to "gotigers1".
IT Dunce A: Phew!

FTA: "It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."
The college has a CS department providing courses for "seasoned IT professionals" (as per ccsf.edu) and nobody notices viruses on their flash drives (etc) over the past 10 years? Unlikely.

It depends upon which classes you take, of course. CCSF has a couple of smaller labs used by CS and CNIT students. The big computer labs seemed to be used primarily by students watching movies, secondarily by students writing essays or doing other sorts of homework.

I have to admit that one time, after using a flash drive on a Windows PC in the main computer lab at CCSF, and later using that flash drive on a Linux box, I noticed there was some sort of malware on my flash drive that would autoexecute on a Win
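The commenter above found something on a flash drive that would auto-execute on Windows but could be inspected safely from Linux. The example below is added here and is not the commenter's code or anything from the article: it is a small triage routine for a removable volume's autorun.inf, the file Windows of that era consulted to decide what to launch on insertion. It parses the [autorun] section the way a tolerant INI reader would, lists every entry that would run code (open=, shellexecute=, and shell\<verb>\command=), notes whether the target actually exists on the volume and whether it sits in a directory malware commonly uses to hide (RECYCLER, System Volume Information and the like), and reports an overridden default verb, which is how a double-click on the drive gets hijacked. The autorun.inf text and file listing are constructed for the example; scan_mount() is a convenience wrapper for a real mount point.

```python
"""
Added example: offline triage of a removable drive's autorun.inf.
Not the commenter's code; the sample autorun.inf and file list are constructed.
"""
import os
import re

EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".hta", ".dll"}
# Top-level directories that USB worms have habitually used as drop locations
HIDING_DIRS = {"recycler", "recycled", "$recycle.bin", "system volume information"}
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")


def parse_inf(text: str) -> dict:
    """Tolerant INI parse: {section_lower: [(key_lower, value), ...]}.
    Lines that are not '[section]' or 'key=value' are ignored, which is also
    why junk lines inserted to confuse scanners do not stop the real entries."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _norm(path: str) -> str:
    """Windows-style path -> lowercase, forward slashes, no leading ./ or /."""
    p = path.replace("\\", "/").strip("\"' ")
    return re.sub(r"^(?:\./|/)+", "", p).lower()


def _first_token(value: str) -> str:
    # The launched program is the first (possibly quoted) token; the rest are arguments.
    m = re.match(r'"([^"]*)"|(\S+)', value.strip())
    return (m.group(1) or m.group(2)) if m else value


def analyze_autorun(inf_text: str, files_on_volume) -> dict:
    volume = {_norm(f) for f in files_on_volume}
    launchers, default_verb = [], None
    for name, entries in parse_inf(inf_text).items():
        if name != "autorun" and not name.startswith("autorun."):
            continue
        for key, value in entries:
            if key == "shell":
                default_verb = value          # overrides what a double-click does
                continue
            if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key):
                target = _norm(_first_token(value))
                launchers.append({
                    "key": key,
                    "target": target,
                    "executable_ext": any(target.endswith(e) for e in EXEC_EXT),
                    "present": target in volume,
                    "in_hiding_dir": target.split("/", 1)[0] in HIDING_DIRS,
                })
    return {"default_verb": default_verb, "launchers": launchers}


def scan_mount(mount_point: str) -> dict:
    """Run the analysis against a real (read-only, please) mount point."""
    inf = os.path.join(mount_point, "autorun.inf")
    if not os.path.isfile(inf):
        return {"default_verb": None, "launchers": []}
    with open(inf, encoding="latin-1") as fh:
        text = fh.read()
    files = [os.path.relpath(os.path.join(d, f), mount_point)
             for d, _, names in os.walk(mount_point) for f in names]
    return analyze_autorun(text, files)


# Constructed sample: presents as a photo stick, actually launches a dropper.
SAMPLE_INF = r"""
[autorun]
; constructed sample for this example
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Holiday photos
action=Open folder to view files
open=RECYCLER\update.exe
shell=explore
shell\open\command=RECYCLER\update.exe
shell\explore\command="RECYCLER\update.exe" -s
"""
SAMPLE_FILES = ["autorun.inf", "RECYCLER/update.exe", "photos/IMG_0001.jpg", "notes.txt"]
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Driver CD\n"

if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_INF, SAMPLE_FILES)["launchers"]:
        print(finding)
```

Three launch entries come back for the sample, all pointing at a present executable under RECYCLER, and the default verb is overridden to "explore", so even "Open folder to view files" would run the dropper; the benign driver-CD file yields no launchers. None of this requires mounting the drive on Windows, which is the point of the commenter's Linux detour.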

> The college has a CS department providing courses for "seasoned IT professionals" (as per ccsf.edu) and nobody notices viruses on their flash drives (etc) over the past 10 years? Unlikely.

I don't think we're talking about the era of Stoned on a boot sector anymore. If this is a decade of organised crime, it's going to be a bit more sophisticated.

You might want to check out Stuxnet [wikipedia.org] before you presume any amount of caution or aptitude can so easily subvert a sufficiently developed worm. Whatever someone might think about how people "over there" do things, I feel it's a safe assumption that the professionals working at a middle-east nuclear plant would also be qualified to work at a San Francisco college.

What's right is to rely on the US justice system, which requires that there be evidence of criminal activity prior to most searches and seizures. Further, judges need to be involved in adjudicating what constitutes probable cause. That is the way forward. Technology brings new challenges to law enforcement, but it also provides new tools. It is, as always, the job of the legal community to keep learning and stay abreast of technology, same as it is for everyone else. And when corporations or individuals wan

is to write a check, stuff it in an envelope, and drop it into the US Mail to pay your bills. Offline. Making withdrawals means drive to the bank, use your passbook, withdraw cash. If there's any computer viruses involved in those, it won't be YOUR fault and should be protected by FDIC insurance. Hopefully.